A goal of the Third Generation Partnership Project (3GPP) Long Term Evolution (LTE) program is to develop new technology, new architecture and new methods for LTE settings and configurations in order to provide improved spectral efficiency, reduced latency, and better utilization of radio resources for faster user experiences and richer applications and services with less cost. As part of these efforts, the 3GPP has introduced the concept of a home, evolved node B (H(e)NB) for LTE networks. 3GPP is also considering a home NB (HNB) for wideband code division multiple access (WCDMA). The acronym H(e)NB is used in this application hereinafter to refer to both a H(e)NB and a HNB.
The H(e)NB gives users access to LTE services (it may also provide WCDMA, Global System for Mobile Communication (GSM) Edge Radio Access Network (GERAN), and other cellular services) over extremely small service areas such as homes and small offices. The user, whether an individual or an organization, will be able to deploy a H(e)NB in an area where such service is desired. A framework for an authentication protocol between the H(e)NB and a Security Gateway (SGW) for the mandatory authentication of the H(e)NB and the optional authentication of a hosting party has also been introduced. The protocol provides a basic framework for device and hosting party authentication and all other later, encrypted communications (under IPsec) between the H(e)NB and the SGW and other core network entities such as a home location register (HLR) and authentication authorization accounting (AAA) server.
Certain internet key exchange v2 (IKEv2) parameters such as MULTIPLE_AUTH_SUPPORTED and CERTREQ have also been introduced as an indicator of the capabilities of the SGW in terms of supporting various possibilities (out of which one should be chosen or negotiated with the HeNB) in the context of H(e)NB authentication. The use of these parameters, however, results in many “ambiguous” situations in terms of the final selection of which type of authentication may be selected.
A number of security threats have also been identified in the above protocol and more generally to the devices and equipment that perform the protocols. The threats considered include but are not limited to: compromise of H(e)NB authentication token by a brute force attack via a weak authentication algorithm; compromise of H(e)NB authentication token by local physical intrusion; inserting a valid authentication token into a manipulated H(e)NB; user cloning the H(e)NB authentication token; man-in-the-middle attacks on H(e)NB first network access; booting H(e)NB with fraudulent software (“re-flashing”); fraudulent software update/configuration changes; physical tampering with H(e)NB; eavesdropping of the other user's universal terrestrial radio access network (UTRAN) or evolved UTRAN (E-UTRAN) user data; masquerading as other users; changing of the H(e)NB location without reporting; software simulation of H(e)NB; traffic tunneling between H(e)NBs; misconfiguration of the firewall in the modem/router; denial of service attacks against H(e)NB; denial of service attacks against core network; compromise of an H(e)NB by exploiting weaknesses of active network services; user's network ID revealed to H(e)NB owner; mis-configuration of H(e)NB; mis-configuration of access control list (ACL) or compromise of the ACL; radio resource management tampering; masquerade as a valid H(e)NB; provide radio access service over a closed subscriber group (CSG); H(e)NB announcing incorrect location to the network; manipulation of external time source; and environmental/side channel attacks against H(e)NB.
It has been also proposed to use location information for authentication of the H(e)NB. An H(e)NB could be located by using one or any combination of the following three types of location information: fixed access line location (e.g. IP address of the H(e)NB's backhaul port); information on macro cells, including macro 3G and 2G cells; and global positioning system (GPS) in the H(e)NB.
Steps for location registration (or certification) and later steps for location-based authentication have also been introduced. These methods, however, suffer from several deficiencies, including the fact that the information about the location being obtained at the H(e)NB may be insecurely handled within the device before being sent to the network.
The deployment of H(e)NBs in LTE and other wireless communication systems introduces security issues that need to be addressed for a successful implementation. As such there exists a need for authentication protocols for a H(e)NB with a trusted environment and an optional hosting party module (HPM) that in some embodiments could be implemented on a UICC.